clear-pkgs-linux-iot-lts2018/fragment-sos

CONFIG_LOCALVERSION=""
CONFIG_DEFAULT_HOSTNAME="clr"
CONFIG_EXTRA_FIRMWARE="i915/bxt_dmc_ver1_07.bin i915/bxt_dmc_ver1.bin i915/bxt_guc_32.0.3.bin i915/bxt_guc_ver8_7.bin i915/bxt_guc_ver9_29.bin i915/bxt_huc_ver01_07_1398.bin i915/bxt_huc_ver01_8_2893.bin i915/cnl_dmc_ver1_06.bin i915/cnl_dmc_ver1_07.bin i915/glk_dmc_ver1_04.bin i915/glk_guc_32.0.3.bin i915/glk_huc_ver03_01_2893.bin i915/icl_dmc_ver1_07.bin i915/icl_guc_32.0.3.bin i915/icl_huc_ver8_4_3238.bin i915/kbl_dmc_ver1_01.bin i915/kbl_dmc_ver1_04.bin i915/kbl_dmc_ver1.bin i915/kbl_guc_32.0.3.bin i915/kbl_guc_ver9_14.bin i915/kbl_guc_ver9_39.bin i915/kbl_huc_ver02_00_1810.bin i915/skl_dmc_ver1_23.bin i915/skl_dmc_ver1_26.bin i915/skl_dmc_ver1_27.bin i915/skl_dmc_ver1.bin i915/skl_guc_32.0.3.bin i915/skl_guc_ver1.bin i915/skl_guc_ver4.bin i915/skl_guc_ver6_1.bin i915/skl_guc_ver6.bin i915/skl_guc_ver9_33.bin i915/skl_huc_ver01_07_1398.bin"
CONFIG_EXTRA_FIRMWARE_DIR="firmware"
CONFIG_E100=m
CONFIG_E1000=m
# CONFIG_SECURITY_SELINUX is not set
CONFIG_DEFAULT_SECURITY_DAC=y
CONFIG_DEFAULT_SECURITY=""
CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE=y
# CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND is not set
CONFIG_DRM_I915_LOW_LEVEL_TRACEPOINTS=y

# The following settins are from kernel-config package
#
# Clear Linux Securty Mandatory Settings
#

CONFIG_SECURITY_DMESG_RESTRICT=y

# KASLR is required as a basic security hardening
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y

# NX is important for buffer overflow exploit hardening
CONFIG_STRICT_KERNEL_RWX=y

# Stack Protector is for buffer overflow detection and hardening
CONFIG_STACKPROTECTOR=y

# /dev/mem is dangerous and has no legitimate users anymore
# CONFIG_DEVMEM is not set

# /dev/mem is dangerous and access must be strictly limited
CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y

# Needed to protect against targeted corruption by rootkits
CONFIG_DEBUG_CREDENTIALS=y
CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_SG=y
CONFIG_SCHED_STACK_END_CHECK=y

# Needed to protect against Spectre V2
CONFIG_RETPOLINE=y

# Seccomp is a security feature needed by systemd
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y

# Protect against ioctl buffer overflows
CONFIG_HARDENED_USERCOPY=y
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set

# Harden the slab free list with randomization
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y

# Guard pages for kernel stacks
CONFIG_VMAP_STACK=y
# TODO: Fixme we need to delete the next line
# CONFIG_VMAP_STACK is not set

# Perform extensive checks on reference counting
CONFIG_REFCOUNT_FULL=y

# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
CONFIG_FORTIFY_SOURCE=y

# Dangerous; enabling this allows direct physical memory writing
# CONFIG_ACPI_CUSTOM_METHOD is not set

# Dangerous; enabling this disables brk ASLR
# CONFIG_COMPAT_BRK is not set

# Dangerous; enabling this allows direct kernel memory writing.
# CONFIG_DEVKMEM is not set

# Dangerous; exposes kernel text image layout
# CONFIG_PROC_KCORE is not set

# Dangerous; enabling this disables VDSO ASLR
# CONFIG_COMPAT_VDSO is not set

# Prior to v4.1, assists heap memory attacks; best to keep interface disabled
# CONFIG_INET_DIAG is not set

# Use the modern PTY interface (devpts) only
# CONFIG_LEGACY_PTYS is not set

# Ensure modules have NX enabled
CONFIG_DEBUG_SET_MODULE_RONX=y
CONFIG_STRICT_MODULE_RWX=y

# Signing of kernel modules is required
CONFIG_MODULE_SIG=y

# Enforce module signing
CONFIG_MODULE_SIG_FORCE=y

# Use SHA512 for kernel module signing
CONFIG_MODULE_SIG_SHA512=y

# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
CONFIG_LEGACY_VSYSCALL_NONE=y

# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_PAGE_TABLE_ISOLATION=y

# X32 is rarely used and provides only attack surface
# CONFIG_X86_X32 is not set

# Unused dangerous option
# CONFIG_MODIFY_LDT_SYSCALL is not set